The DHS Office of Cybersecurity and Communications (OCC) published a request for comments in today’s Federal Register (80 FR 30258-30259) on the formation of Information Sharing and Analysis Organizations (ISAOs) for cybersecurity information sharing, as directed by Executive Order 13691. This request for comments is roughly associated with the ISAO workshop being conducted by DHS on June 9th.
The request for comments is looking generally for comments on the ISAO program outlined in EP 13691 and specifically for answers to 8 questions (the verbiage says five questions but lists 8; either a typo or poor editing):
1. Describe the overarching goal and value proposition of Information Sharing and Analysis Organizations (ISAOs) for your organization.
2. Identify and describe any information protection policies that should be implemented by ISAOs to ensure that they maintain the trust of participating organizations.
3. Describe any capabilities that should be demonstrated by ISAOs, including capabilities related to receiving, analyzing, storing, and sharing information.
4. Describe any potential attributes of ISAOs that will constrain their capability to best serve the information sharing requirements of member organizations.
5. Identify and comment on proven methods and models that can be emulated to assist in promoting formation of ISAOs and how the ISAO “standards” body called for by E.O. 13691 can leverage such methods and models in developing its guidance.
6. How can the U.S. government best foster and encourage the organic development of ISAOs, and what should the U.S. government avoid when interacting with or supporting ISAOs?
7. Identify potential conflicts with existing laws, authorities that may inhibit organizations from participating in ISAOS and describe potential remedies to these conflicts.
8. Please identify other potential challenges and issues that you believe may affect the development and maturation of effective ISAOs.
While DHS is soliciting public feedback, there is nothing in the notice that specifically tells people how to provide that feedback. There is, however, a docket (DHS-2015-0017) set up on the Federal eRulemaking Portal (www.Regulations.gov) for submitting these comments. Comments should be submitted by June 10th, 2015.